Can someone explain when and how often each of the Windows RPC ports are used? The "core" ones I understand are:

Port 135Port 137Port 139Higher ports that are published by Port 135"s "catalog"

Then I heard that Port 145 came into the mix lớn "make things better" with NBT/TCP but I"m not sure how this fits in with the sequence of a Windows client initiating an RPC action.

Bạn đang xem: Port 135

Can anyone help me fix my understanding of RPC ports once and for all?


This TechNet article is fantastic, I recommend you bookmark it. It lists the ports used by various Windows services và is quite thorough.

In versions of Windows earlier than Vista/2008, NetBIOS was used for the "RPC Locator" service, which managed the RPC name service database. But in Vista/2008 and beyond, the RPC Locator service is no longer necessary or useful. It"s vestigial. From this point on I am only going khổng lồ talk about MSRPC on Vista/2008+.

Ports 137, 138 and 139 are for NetBIOS, và are not required for the functionality of MSRPC.

All the ports used by RPC are as follows:

RPC EPM TCP 135 RPC over HTTPS TCP 593 SMB (for named pipes) TCP 445Ephemeral Range, Dynamic *Other applications, such as Remote Desktop Gateway, will use RPC over HTTP proxy & use port 443, etc.

Xem thêm: Bảng Ngọc Caitlyn Mùa 11

Although the article I linked khổng lồ above lists the NetBIOS ports, those are legacy & are not required for RPC, assuming you can acquire name resolution through other means (DNS,) và assuming the remote service itself is not dependent on NetBIOS.

Port 145 is bogus. It"s not used for anything. Wherever you heard that it "makes things better," is wrong.

Basic MSRPC uses ports 135, và the high-numbered dynamic range. That high-numbered dynamic range is ports 1024-5000 on XP/2003 và below, and 49152-65535 on Vista/2008 and above. You can also call that port range ephemeral ports.

You can define a custom port range if you wish, lượt thích so:

reg add HKLMSOFTWAREMicrosoftRpcInternet /v Ports /t REG_MULTI_SZ /f /d 8000-9000reg địa chỉ cửa hàng HKLMSOFTWAREMicrosoftRpcInternet /v PortsInternetAvailable /t REG_SZ /f /d Yreg địa chỉ cửa hàng HKLMSOFTWAREMicrosoftRpcInternet /v UseInternetPorts /t REG_SZ /f /d YAnd/Or

netsh int ipv4 mix dynamicport tcp start=8000 num=1001netsh int ipv4 mix dynamicport udp start=8000 num=1001netsh int ipv6 mix dynamicport tcp start=8000 num=1001netsh int ipv6 set dynamicport udp start=8000 num=1001TCP port 135 is the MSRPC endpoint mapper. You can bind to lớn that port on a remote computer, anonymously, và either enumerate all the services (endpoints) available on that computer, or you can request what port a specific service is running on if you know what you"re looking for.

Let me show you an example of querying the RPC Enpoint Mapper:

C:>PortQry.exe -n -e 135Querying target system called: lớn resolve IP address khổng lồ a name... IP address resolved to host01.labs.myotherpcisacloud.comquerying...TCP port 135 (epmap service): LISTENINGUsing ephemeral source portQuerying Endpoint Mapper Database...Server"s response:UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0dncacn_ip_tcp:<49152>UUID: 12345778-1234-abcd-ef00-0123456789acncacn_np:<\pipe\lsass>UUID: 12345778-1234-abcd-ef00-0123456789acncacn_ip_tcp:<49159>UUID: 6b5bdd1e-528c-422c-af8c-a4079be4fe48 Remote Fw APIsncacn_ip_tcp:<49158>UUID: 367abb81-9844-35f1-ad32-98f038001003ncacn_ip_tcp:<49157>UUID: 12345678-1234-abcd-ef00-0123456789abncacn_ip_tcp:<49155>UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1ncacn_ip_tcp:<49155>UUID: ae33069b-a2a8-46ee-a235-ddfd339be281ncacn_ip_tcp:<49155>UUID: 4a452661-8290-4b36-8fbe-7f4093a94978ncacn_ip_tcp:<49155>UUID: 76f03f96-cdfd-44fc-a22c-64950a001209ncacn_ip_tcp:<49155>UUID: 7f1343fe-50a9-4927-a778-0c5859517bac DfsDs servicencacn_np:<\PIPE\wkssvc>UUID: 3473dd4d-2e88-4006-9cba-22570909dd10 WinHttp Auto-Proxy Servicencacn_np:<\PIPE\W32TIME_ALT>UUID: 1ff70682-0a51-30e8-076d-740be8cee98bncacn_np:<\PIPE\atsvc>...Total endpoints found: 50==== end of RPC Endpoint Mapper query response ====You will notice that if you perform that query on the local computer, you will find many more endpoints than if you perform the query from a remote computer. That"s because many RPC endpoints are not exposed remotely and are only used for local interprocess communication.

Further reading: